Role in IT decision-making process:Align Business & IT GoalsCreate IT StrategyDetermine IT NeedsManage Vendor RelationshipsEvaluate/Specify Brands or VendorsOther RoleAuthorize PurchasesNot Involved

Work Phone:

Company:

Company Size:

Industry:

Street Address

City:

Zip/postal code

State/Province:

Country:

Occasionally, we send subscribers special offers from select partners. Would you like to receive these special partner offers via e-mail?YesNo

Your registration with Eweek will include the following free email newsletter(s):News & Views

By submitting your wireless number, you agree that eWEEK, its related properties, and vendor partners providing content you view may contact you using contact center technology. Your consent is not required to view content or use site features.

By clicking on the "Register" button below, I agree that I have carefully read the Terms of Service and the Privacy Policy and I agree to be legally bound by all such terms.

Docker Secures Container Secrets in Datacenter Update

Docker releases updated versions of its open-source and commercial container platforms, adding new security features to help safeguard privileged access information.

Docker is advancing its open-source container engine as well as its commercially supported Docker Datacenter platform with enhanced capabilities designed to help safeguard container secrets. Secrets in the context of container applications are access tokens, passwords and other privileged access information that needs to be kept secure. The Docker 1.13 container engine release that debuted on Jan. 19 featured a new secrets management capability that has been further enhanced in the Docker 1.13.1 update released on Feb. 8.

Additionally, Docker is now bringing the secrets management capability to a new update of Docker Datacenter announced Feb. 9 that is based on Docker 1.13.1. Docker Datacenter is Docker Inc's flagship commercial platform and was first released back in February 2016.

"As a platform provider, we want to make sure we're doing a good job of helping people secure applications and the secrets that are used by applications," Nathan McCauley, Security Director at Docker, told eWEEK.

From a deployment perspective, only the assigned applications within a cluster of docker engines known as a 'swarm' are able to access secrets. McCauley emphasized that applications running on the same infrastructure should not know each other's secrets, they should only know the secrets they are specifically authorized to access.

Further reading

The primary difference between the secrets management capability in the open-source Docker 1.13.1 update and what Docker Datacenter enables is additional access control. McCauley explained that Docker swarm has access control for the applications that need to access a secret when running in a cluster.

"What Docker Datacenter adds is access control for the human developers and administrators that are interfacing with the system," McCauley said. "So you can assign secrets to a team and that team is then allowed to assign secrets to their own applications."

The role based access control in the Docker Datacenter update can also be integrated with existing enterprise identity systems, including Microsoft's ActiveDirectory.

Simply storing secrets securely, however, isn't enough to keep secrets safe, as there still could be a potential risk of a secret being leaked by an application.

"Applications are safer when the secret isn't actually stored in the application itself," McCauley explained.

To that end, Docker encrypts the backend storage where the secrets are stored in the swarm and all delivery of secrets to container applications occurs over secure Transport Layer Security (TLS) tunnels. The secrets are only available to applications in-memory and are not stored again to the individual application container's storage segment.

The idea of having a secrets management facility for applications is not a new one. The open-source Vault project is another effort that provides secrets management and is currently also integrated with the Aqua Container Security Platform 2.0 update that was released on Feb. 2.

"Vault has implemented a good system, but it's not integrated by default into the container management platform," McCauley said. "Our belief at Docker is that you need a secrets management capability that is deeply integrated, to bridge the developer and operations workflows."